News/Publications

Does Pokémon GO Lure You in With a Dangerous Privacy Policy and Terms of Use?

For years, we have been lamenting that our young people spend too much time indoors playing computer games and not enough time outside or connecting with others. Yet, those same critics now condemn young Pokémon Go players who venture out on Pokémon hunts for a myriad of perceived sins including inattentiveness and irresponsible behavior. Critics also revel in slamming Niantic, Inc., the maker of Pokémon GO, for creating another game purportedly aimed at tracking its players' every move and profiting from the data created by each player.

After stripping away the media hype, what's left is a genuinely fun game that encourages its players to trek around that has a Terms of Use and a Privacy Policy that are quite typical of games of its type and no more onerous than any of the popular social media sites. So, what provisions are in the Terms of Use and Privacy Policy of Pokémon GO?

Terms of Use

Pokémon GO's Terms of Use (found at www.nianticlabs.com/terms/pokemongo/en and last updated on 07/01/16) are pretty standard. Arguably, the most privacy concerning provision found here is Niantic's requirement that users sign up with an existing Google, Facebook, or other "pre-existing third-party accounts" that Niantic allows. Niantic creates each user's account "by extracting from your ... account certain personal information (such as your email address) "that the user's privacy settings permit. This basic account information grab is no more intrusive than what many other mobile apps require for use.

For parents and others worried about children signing up and playing the game, Pokémon Go requires that the parents of children under 13 "register with The Pokémon Company International, Inc. "before an underage child's account can be created. This is pretty standard and is designed to comply with the parental consent requirements found in the federal Children's Online Privacy Protection Act (COPPA) and certain European data protection laws.

Privacy Policy

Niantic's Privacy Policy (found at www.nianticlabs.com/privacy/pokemongo/en and last updated on 07/01/16) contains certain provisions that some in the media and elsewhere have bemoaned but which are somewhat typical of mobile games these days.

First, like many other apps, Niantic collects personally identifying information or "PII" from each user which "can be used to identify or recognize you (or your authorized child)." Like in the Terms of Use, the Privacy Policy specifies that collected PII will include things such as a user's "Google email address ...and/or your Facebook registered email address. "A user's privacy settings with those platforms determines what information Niantic will gain access to. Niantic also collects other information such as user names and messages sent to other Pokémon GO players.

Second, like nearly every website online, Niantic uses "automated data collection tools such as Cookies" to tell when and how users are using Pokémon GO. Niantic's servers also automatically record "Log Data" which could include "a User's Internet Protocol (IP) address, user agent, browser type, operating system" and other information. All of this data, the Privacy Policy states, is collected primarily so Niantic can provide and improve its services. With mobile devices, Niantic collects information such as " a device identifier, user settings, and the operating system of your (or your authorized child's) device, as well as information about your use of our services while using the mobile device." Again, none of these types of information grabs are anything new or more intrusive than most other apps or mobile games these days.

Third, Niantic unsurprisingly collects location information (Pokémon GO is after all, an augmented reality game which relies on and is primarily about player location). Niantic collects and stores each user's location information using each device's cellular, Wi-Fi, and/or GPS signals. When Pokémon GO players "take certain actions during gameplay, [their] user name and location may be shared through the App with other users who are playing the game." Here too, Niantic's ability to know a user's location is no more intrusive than any other mobile app or game a user gives permission to track them through.

Next is the provision that's seemingly attracted the most attention in the media after location data – the sharing of user data with third parties. The Privacy Policy states that Niantic "may share aggregated information and non-identifying information with third parties for research and analysis, demographic profiling, and other similar purposes." Niantic admits that the information collected from users, including PII, "is considered to be a business asset." This should not surprise anyone. Like most mobile app developers, Niantic is a business that wants to generate revenue and be profitable. As such, no one should be surprised if Niantic shares or sells its user data to companies like Starbucks, McDonalds, or any other businesses that will pay to market and sell products and services to mobile game users, based on their location or otherwise.

Overall, there is nothing in either the Terms of Use or Privacy Policy that most Pokémon GO players haven't already agreed to many times over through the use of websites, other mobile apps and mobile games. In 2016, it would be naïve to expect Niantic or any other mobile app provider not to provide or sell anonymized user data to third parties as marketing demographic information or for other purposes. There may not be much privacy left in the digital age, but if any Pokémon GO users or potential users don't like Niantic's Terms of Use or Privacy Policy, there's still the choice of simply not downloading or playing the game. While players may be lured in by the fun of playing Pokémon GO, the only legal lures are standard ones.

About the Authors:

Maria Crimi Speth is a shareholder and intellectual property attorney at the Phoenix law firm of Jaburg Wilk. As chair of their intellectual property group, she has expertise in copyright law, trademark law, and Internet law. She focuses on litigation involving intellectual property rights and First Amendment rights. Ms. Speth is the author of the book, Protect Your Writings: A Legal Guide for Authors.

Michael B. Dvoren is an intellectual property attorney at the Phoenix law firm of Jaburg Wilk, where he assists clients with various intellectual property matters, including protection, enforcement, litigation and transactions. Both he and Maria assist clients with preparing terms of use and privacy policies.